MDVSA-2013:179

Problem description

Multiple security issues were identified and fixed in Mozilla Firefox:

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code (CVE-2013-1682).

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover a series of
use-after-free problems rated critical as security issues in shipped
software. Some of these issues are potentially exploitable, allowing
for remote code execution. We would also like to thank Abhishek for
reporting additional use-after-free and buffer overflow flaws in
code introduced during Firefox development. These were fixed before
general release (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686).

Security researcher Mariusz Mlynski reported that it is possible to
compile a user-defined function in the XBL scope of a specific element
and then trigger an event within this scope to run code. In some
circumstances, when this code is run, it can access content protected
by System Only Wrappers (SOW) and chrome-privileged pages. This
could potentially lead to arbitrary code execution. Additionally,
Chrome Object Wrappers (COW) can be bypassed by web content to access
privileged methods, leading to a cross-site scripting (XSS) attack
from privileged pages (CVE-2013-1687).

Security researcher Nils reported that specially crafted web content
using the onreadystatechange event and reloading of pages could
sometimes cause a crash when unmapped memory is executed. This crash
is potentially exploitable (CVE-2013-1690).

Security researcher Johnathan Kuskos reported that Firefox is sending
data in the body of XMLHttpRequest (XHR) HEAD requests, which goes
against the XHR specification. This can potentially be used for
Cross-Site Request Forgery (CSRF) attacks against sites which do not
distinguish between HEAD and POST requests (CVE-2013-1692).
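
Server-side view of CVE-2013-1692, as an added example that is not part of the original advisory: a WSGI handler that acts on any request body changes state on a HEAD request, while one that dispatches on the method first does not. The handler names, the `email` form field and the sample requests are constructed for illustration.

```python
import io
from urllib.parse import parse_qs

def make_environ(method, body=b""):
    # Constructed minimal WSGI environ so the example runs offline.
    return {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body)}

def read_form(environ):
    length = int(environ.get("CONTENT_LENGTH") or 0)
    return parse_qs(environ["wsgi.input"].read(length).decode())

def lax_app(state):
    """Weak pattern: any request that carries a body is handled as a form post."""
    def app(environ, start_response):
        form = read_form(environ)
        if "email" in form:
            state["email"] = form["email"][0]  # also reached for HEAD
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b""]
    return app

def strict_app(state):
    """Dispatch on the method first; only POST reads the body or changes state."""
    def app(environ, start_response):
        method = environ["REQUEST_METHOD"]
        if method in ("GET", "HEAD"):
            # Safe methods: the body is never parsed, state is never touched.
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b""]
        if method == "POST":
            # A real handler would also verify an anti-CSRF token here.
            form = read_form(environ)
            if "email" in form:
                state["email"] = form["email"][0]
            start_response("303 See Other", [("Location", "/account")])
            return [b""]
        start_response("405 Method Not Allowed", [("Allow", "GET, HEAD, POST")])
        return [b""]
    return app

def run(app_factory, method, body=b""):
    """Send one constructed request; return (status line, resulting email)."""
    state = {"email": "owner@example.test"}
    seen = []
    app_factory(state)(make_environ(method, body), lambda s, h: seen.append(s))
    return seen[0], state["email"]
```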

Security researcher Paul Stone of Context Information Security
discovered that timing differences in the processing of SVG format
images with filters could allow for pixel values to be read. This
could potentially allow for text values to be read across domains,
leading to information disclosure (CVE-2013-1693).

Mozilla developer Boris Zbarsky found that when PreserveWrapper was
used in cases where a wrapper is not set, the preserved-wrapper flag
on the wrapper cache is cleared. This could potentially lead to an
exploitable crash (CVE-2013-1694).

Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers
can be bypassed to call content-defined toString and valueOf methods
through DefaultValue. This can lead to unexpected behavior when
privileged code acts on the incorrect values (CVE-2013-1697).

The Mozilla Firefox packages have been upgraded to the latest ESR
version (17.0.7) which is unaffected by these security flaws.